Effective as of October 18, 2020
ABOUT CDPHE, LOCAL PUBLIC HEALTH AUTHORITIES, AND CO EXPOSURE NOTIFICATIONS
CDPHE oversees public health efforts throughout the State of Colorado and works in conjunction with local public health authorities (LPHA), Health Information Exchanges (HIEs), and associated provider networks to provide notification to those who have been exposed to someone with COVID-19. CO Exposure Notifications is a service that allows CDPHE, LPHAs, or authorized health authorities to anonymously notify you if you may have been exposed to the virus that causes COVID-19.
USING THE SERVICE
Using CO Exposure Notifications is completely voluntary and you may choose to install and uninstall CO Exposure Notifications at any time. CO Exposure Notifications will never collect, track, or store your location, GPS information, or personal information.
ENABLING EXPOSURE NOTIFICATIONS
Enabling exposure notification in CO Exposure Notifications is your choice. You can enable and disable such notification at any time. CO Exposure Notifications must be enabled for CO Exposure Notifications to: exchange the random codes with other CO Exposure Notifications users who you come into close contact with; for you to receive exposure notifications; or for you to notify other CO Exposure Notifications users if you test positive for COVID-19 by sharing your random codes through a positive report.
HOW IT WORKS
CDPHE, LPHAs, and authorized health authorities will never collect or process any personally identifiable information from CO Exposure Notifications.
If an individual has installed CO Exposure Notifications on their device, that device will make a Bluetooth connection with other devices within their proximity to exchange random device keys if the other users have installed CO Exposure Notifications. These random device keys do not collect or process any location or personally identifiable information.
Individuals who have CO Exposure Notifications installed on their device and have a confirmed case or probable diagnosis of COVID-19 will be contacted by their LPHA, CDPHE, or an authorized health authority with a PIN that is randomly generated. If a user tests positive for COVID-19, they may choose to notify other CO Exposure Notifications users with whom they have had close contact. Providing notification to other CO Exposure Notifications users with whom you have had close contact is completely voluntary and does not reveal your identity. To trigger a notification to other users, the user who tests positive for COVID-19 must enter their valid, 8-digit PIN or use a PIN via a link that is sent in a text message. This PIN is used to verify your positive diagnosis and prevent false reports. This PIN is not associated with your identity.
Once the PIN is entered, CO Exposure Notifications’ algorithm will conduct a risk calculation using the time, duration, and Bluetooth signal (proximity indicator) for potential contacts. CO Exposure Notifications will notify other CO Exposure Notifications users who meet criteria for being a close contact as having a potential exposure risk. CO Exposure Notifications’ notification will state that the user may have potentially been exposed to a COVID-19-infected individual and will provide instructions on how and where to get tested. Such notifications will not include the potentially infected individual’s identity or the date, time, or location of the exposure.
All random device PINs provided by an LPHA, CDPHE, or an authorized health authority will not include any location or identifying information. All PINs are anonymous and auto-generated. The Bluetooth identifiers, random device keys, and associated metadata are deleted from your device on a rolling, 14-day window.
PAUSING OR TERMINATING PARTICIPATION
Participation in CO Exposure Notifications may be terminated at any time by deleting or uninstalling CO Exposure Notifications from your device. Participants may also pause CO Exposure Notifications at their discretion. After CO Exposure Notification is deleted or uninstalled, your device will no longer generate or exchange random codes with other users’ mobile devices. Any random codes that were previously shared with other CO Exposure Notifications users will be automatically deleted after 14 days from the date the code was generated.
The following event data may be processed and collected in CO Exposure Notifications:
- Installing CO Exposure Notifications.
- Receiving an exposure notification.
- Submitting a verified PIN.
- Downloading anonymous tokens for positive users that have chosen to notify others.
CDPHE uses the above event information to understand how CO Exposure Notifications is being used. This data may be shared with CDPHE, public health entities or authorized health authorities. It may also be used in an aggregate and anonymous form for statistical or scientific research purposes. This information will not include any personal or location information nor will it be used to identify any CO Exposure Notifications user. CDPHE or LPHA may also define and send metadata related to your transmission risk including how the diagnosis was reported.
OPTING OUT OF PUSH NOTIFICATIONS
If you opt-in to receive push notifications within CO Exposure Notifications, it may send push notifications or alerts to your mobile device from time to time. You may deactivate push notifications and alerts at any time by deleting or disabling CO Exposure Notifications, changing your device settings, or changing the push notification settings within CO Exposure Notifications.
CO Exposure Notifications is not intended for children under the age of 13, and CDPHE does not knowingly allow a child under 13 to use the service. If you are between the ages of 13 and 17, you can only use CO Exposure Notifications if your parent or legal guardian has reviewed and agreed to the Terms of Service on your behalf.
Colorado Department of Public Health and Environment
Re: CO Exposure Notifications
4300 Cherry Creek Drive South
Denver, CO 80246